Terminology:
SGT - Security Group Tag
SXP - SGT Exchange Protocol over TCP
EPS - Endpoint Protection Service
ANC - Adaptive Network Control
TrustSec = Group-Based Policy = Adaptive Policy
Security Group = Scalable Group
Security Group ACL = Contracts
Lab:
ISE3.0, FMC/FTD 7.0.5
Pre-requisite:
FMC pxGrid to ISE is already configured.
Note: the Session Directory topic has three ISE services subscribed before the SXP topic is enabled on FMC.
FMC: enable SXP Topic
ISE: enable SXP service
ISE: Enable SXP binding on pxGrid
It seems that as long as something is listed here it is fine; it doesn't have to be something configured for FMC.
Create a Security Group
Create an Authorization rule to apply the Security Group
FMC: Create ACP rule to match source SGT
Verification:
ISE:
FMC:
root@fmc67:/var/sf/user_enforcement# uip_reader -f sxp_log_entries.1 -b
current set of sxp bindings
ipPrefix 172.16.1.203/32, tag 16
*************************************
FMC connection event shows connection hit Test-SGT rule and Source SGT is "MAB_Devices"
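One way to check the uip_reader output above against the bindings ISE is expected to publish, as an added example that is not part of the original post. The sample dump is constructed (the /24 binding is invented), the function names are hypothetical, and the most-specific-prefix rule in sgt_for_host is an assumption.

```python
import ipaddress
import re

# Constructed sample in the format of the uip_reader output shown above;
# the /24 binding is invented for illustration.
SAMPLE_DUMP = """\
current set of sxp bindings
ipPrefix 172.16.1.203/32, tag 16
ipPrefix 172.16.1.0/24, tag 4
*************************************
"""

BINDING_RE = re.compile(r"ipPrefix\s+(\S+),\s*tag\s+(\d+)")


def parse_bindings(dump):
    """Return {ip_network: sgt} for every 'ipPrefix ..., tag N' line."""
    bindings = {}
    for line in dump.splitlines():
        m = BINDING_RE.search(line)
        if not m:
            continue  # header, separator or unrelated line
        try:
            net = ipaddress.ip_network(m.group(1), strict=False)
        except ValueError:
            continue  # skip a malformed prefix rather than abort
        bindings[net] = int(m.group(2))
    return bindings


def sgt_for_host(bindings, host):
    """Tag of the most specific prefix covering host, or None.
    Assumption: the most specific binding wins."""
    addr = ipaddress.ip_address(host)
    covering = [n for n in bindings if n.version == addr.version and addr in n]
    if not covering:
        return None
    return bindings[max(covering, key=lambda n: n.prefixlen)]


def diff_bindings(expected, actual):
    """Compare bindings expected from ISE with what FMC learned.
    Returns (missing, mismatched); mismatched maps net -> (expected, actual)."""
    missing = {n: t for n, t in expected.items() if n not in actual}
    mismatched = {n: (t, actual[n]) for n, t in expected.items()
                  if n in actual and actual[n] != t}
    return missing, mismatched
```

A missing binding means the ACP rule that matches on source SGT cannot match that host's traffic; a mismatched one means it would be evaluated against a different tag than ISE assigned.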